Cryptographic Malware Spreads via USB and Uses Tor to Steal Credentials
Microsoft discovers 'Crypto Clipper', a worm that replaces cryptocurrency addresses in the clipboard and communicates via Tor.
June 23, 2026 · 4 min read

TL;DR: Microsoft has discovered a malware called Crypto Clipper that spreads via USB drives, steals cryptocurrency credentials by replacing addresses in the clipboard, and uses Tor to communicate with attackers. It can also execute remote code, becoming a backdoor.
What happened?
Microsoft has detected a new cryptocurrency-stealing malware that spreads via USB drives. Dubbed Crypto Clipper, this worm monitors the clipboard of the infected device for cryptocurrency wallet addresses or seed phrases. When found, it replaces them with addresses controlled by the attackers, thus diverting payments. Additionally, it takes five screenshots within a 10-second interval to provide context to the attacker.
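As an added illustration (not code from the article or from Microsoft's report), the following Python sketch shows the defensive side of the behaviour just described: given a series of clipboard snapshots, it flags the case where an address is replaced by a different address of the same type without a user-initiated copy event. The snapshot format, the address patterns and the sample addresses are all constructed for this example; real wallet software should additionally verify address checksums, and users should compare the pasted address against the intended one before broadcasting a transaction.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Loose shape checks for common address formats (assumed patterns for the
# example; production code should also validate checksums).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the address type of a clipboard string, or None if it is not one."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class Snapshot:
    t: float          # seconds since monitoring started
    content: str      # clipboard text observed at this poll
    user_copy: bool   # True if the OS recorded a user-initiated copy at this poll


def detect_swaps(snapshots: List[Snapshot]) -> List[dict]:
    """Flag address-to-address changes that no user copy action explains.

    A clipper swaps one address for another of the same type, so the
    distinguishing signal is 'same kind, different value, no copy event'.
    """
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        if cur.content == prev.content or cur.user_copy:
            continue
        kind = classify(prev.content)
        if kind is not None and classify(cur.content) == kind:
            alerts.append({"t": cur.t, "kind": kind,
                           "expected": prev.content, "observed": cur.content})
    return alerts


def same_address(intended: str, pasted: str) -> bool:
    """Pre-send check: does the pasted address match the one the user intended?"""
    return intended.strip() == pasted.strip()


# Constructed, non-functional addresses used only for the demonstration.
BTC_A = "bc1qexampleaddr00000000000000000000000000"
BTC_B = "bc1qswappedaddr00000000000000000000000000"
ETH_A = "0x" + "ab" * 20
ETH_B = "0x" + "cd" * 20

# Constructed clipboard history: two swaps without a copy event, one benign copy.
SAMPLE = [
    Snapshot(0.0, BTC_A, True),     # user copies a deposit address
    Snapshot(0.5, BTC_A, False),    # unchanged
    Snapshot(1.0, BTC_B, False),    # replaced with no copy event: clipper pattern
    Snapshot(2.0, "meeting notes", True),
    Snapshot(3.0, ETH_A, True),
    Snapshot(3.5, ETH_B, False),    # replaced again
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE):
        print(alert)
```

The same-type requirement is what separates a swap from ordinary clipboard use: a Bitcoin address giving way to a different Bitcoin address looks like a normal copy unless the monitor also knows that the user issued no copy command.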
Most notable are its propagation and communication methods. The malware spreads through .lnk files (shortcuts) on USB drives. When an infected drive is connected, the code checks whether it is already installed on the computer; if not, it downloads the full payload through a built-in Tor proxy. This lets the malware operate without exposed IP-based command-and-control (C2) infrastructure, routing its traffic through the Tor network instead. Microsoft has observed that the malware can also execute remote code, making it a lightweight backdoor. The company believes the purpose of the screenshots is to give attackers contextual information about the victim's session.
According to Microsoft's report, the worm also scans the infected USB drive and gives its .lnk files names similar to those of files already present, so they blend in. Once installed, it performs the clipboard substitution described above, replacing cryptocurrency addresses with attacker-controlled ones to divert payments. Microsoft highlights that this malware family shows how lightweight script-based theft can have a disproportionate impact when combined with anonymous communications and runtime tasks.
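The naming trick described above (shortcuts that borrow the names of files already on the drive) is a long-standing USB worm pattern, and it is detectable from a directory listing alone. The Python example below is added here and is not from the article or Microsoft's report: it scans a folder's entries for .lnk files whose name shadows a sibling entry (for instance, a shortcut called Reports.lnk sitting next to a now-hidden Reports folder) and for shortcuts that carry a document-style double extension. The Entry record, the extension list and the sample listing are constructed for the example; the scan_directory helper reads a real folder, treating the Windows hidden attribute as the hidden flag where available.

```python
import os
import stat
from dataclasses import dataclass
from typing import List

# Extensions a disguised shortcut commonly imitates (assumed list for the example).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


@dataclass
class Entry:
    name: str
    is_dir: bool
    hidden: bool


def find_lookalike_shortcuts(entries: List[Entry]) -> List[dict]:
    """Flag .lnk files that shadow another entry or wear a document extension."""
    by_name = {e.name.lower(): e for e in entries}
    findings = []
    for e in entries:
        if e.is_dir or not e.name.lower().endswith(".lnk"):
            continue
        stem = e.name[:-4]                       # "Reports.lnk" -> "Reports"
        twin = by_name.get(stem.lower())
        if twin is not None:
            reason = ("shadows hidden " if twin.hidden else "shadows ") + \
                     ("folder" if twin.is_dir else "file")
            findings.append({"shortcut": e.name, "target": twin.name, "reason": reason})
        elif os.path.splitext(stem)[1].lower() in DOC_EXTS:
            # "photo.jpg.lnk" with no photo.jpg beside it: double-extension disguise.
            findings.append({"shortcut": e.name, "target": None, "reason": "double extension"})
    return findings


def scan_directory(path: str) -> List[dict]:
    """Read a real folder (e.g. a mounted USB root) into Entry records and scan it."""
    entries = []
    with os.scandir(path) as it:
        for d in it:
            st = d.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)            # Windows only
            hidden_flag = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
            hidden = bool(attrs & hidden_flag) or d.name.startswith(".")
            entries.append(Entry(d.name, d.is_dir(follow_symlinks=False), hidden))
    return find_lookalike_shortcuts(entries)


# Constructed listing of a USB root after the folder/shortcut swap.
SAMPLE = [
    Entry("Reports", True, True),            # real folder, now hidden
    Entry("Reports.lnk", False, False),      # shortcut wearing the folder's name
    Entry("budget.xlsx", False, False),
    Entry("budget.xlsx.lnk", False, False),  # shortcut wearing the file's name
    Entry("photo.jpg.lnk", False, False),    # no twin, but a document-style extension
    Entry("readme.txt", False, False),
    Entry("Printer.lnk", False, False),      # ordinary shortcut, no twin
]

if __name__ == "__main__":
    for finding in find_lookalike_shortcuts(SAMPLE):
        print(finding)
```

A hidden twin is the strongest of these signals; a lone shortcut with a document extension is weaker and is better treated as something to inspect than as an alert on its own.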
Why is it important?
This finding is significant for several reasons. First, it demonstrates an evolution in cybercriminal tactics: combining physical propagation techniques (USB) with anonymous communications (Tor) and cryptocurrency credential theft. Second, the ability to execute remote code turns a simple clipper into a persistent threat that can be used for other malicious purposes, such as deploying ransomware or espionage.
Moreover, using Tor to hide C2 communication makes detection and blocking by traditional security systems difficult. USB propagation is particularly dangerous in corporate environments where removable devices are common, and it can bypass network defenses. Microsoft notes that the combination of Tor-routed C2, screenshot capture, and remote code execution offers attackers both immediate monetization avenues and ongoing control over compromised devices.
The potential impact is broad: from stealing cryptocurrency funds from individual users to compromising entire corporate systems. As cryptocurrencies continue to gain adoption, malware targeting them becomes more frequent. According to Chainalysis data, over $3.8 billion in cryptocurrency was stolen in 2024, a significant increase from previous years. This type of malware could contribute to that trend.
Consequences and recommendations
For individual users, the primary risk is loss of cryptocurrency funds if the malware successfully replaces addresses in transactions copied to the clipboard. For businesses, the threat is twofold: theft of digital assets and potential system compromise through the backdoor. Companies that handle cryptocurrencies or have employees who use them are especially vulnerable.
Microsoft recommends the following measures:
- Disable autorun for USB drives on systems.
- Always scan USB drives with antivirus software before using them.
- Use hardware wallets for cryptocurrencies, which do not rely on the clipboard.
- Keep systems updated and use security solutions that detect anomalous behavior, such as unauthorized Tor usage.
Additionally, organizations should implement USB security policies, such as using locked ports or device control software. It is also advisable to educate employees about the risks of connecting unknown USB devices. Since the malware uses Tor, security teams can monitor network traffic for unauthorized Tor connections, though this can be technically challenging.
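The recommendation to watch for unauthorized Tor connections can be given concrete shape. The Python example below is added here and is not from the article or Microsoft's report: it runs three heuristics over connection log lines and reports any connection matching at least one of them: a destination port equal to Tor's default relay ports (9001 for the ORPort, 9030 for the DirPort), a destination address in a relay list, and an outbound connection made by a script host. The log line format, the process names and the relay set are constructed for the example; in practice the relay set would be populated from the Tor Project's published relay and exit lists, and the port heuristic alone is weak because many relays also listen on 443.

```python
import re
from collections import namedtuple
from typing import Dict, Iterable, List, Optional, Set

# Tor's default relay ports. Many relays also use 443/80, so treat this as a hint.
TOR_DEFAULT_PORTS = {9001, 9030}

# Constructed placeholder (TEST-NET addresses) standing in for a current relay
# list fetched from the Tor Project; load the real list here in production.
KNOWN_RELAY_IPS = {"203.0.113.10", "198.51.100.77"}

# Script hosts: the article describes the worm as script-based, so outbound
# connections from these processes merit attention (assumed list for the example).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

# Constructed log format: one connection per line with source, destination,
# protocol and owning process.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+) proc=(?P<proc>\S+)$"
)

Finding = namedtuple("Finding", "ts src dst dport proc reasons")


def parse_line(line: str) -> Optional[Dict]:
    """Parse one connection line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    conn = m.groupdict()
    conn["dport"] = int(conn["dport"])
    return conn


def assess(conn: Dict, relay_ips: Set[str] = KNOWN_RELAY_IPS) -> List[str]:
    """Return the list of heuristics this connection trips (empty if none)."""
    reasons = []
    if conn["dport"] in TOR_DEFAULT_PORTS:
        reasons.append("tor-default-port")
    if conn["dst"] in relay_ips:
        reasons.append("known-tor-relay")
    if conn["proc"].lower() in SCRIPT_HOSTS:
        reasons.append("script-host-outbound")
    return reasons


def scan(lines: Iterable[str], relay_ips: Set[str] = KNOWN_RELAY_IPS) -> List[Finding]:
    """Return a Finding for every parseable connection that trips a heuristic."""
    findings = []
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue
        reasons = assess(conn, relay_ips)
        if reasons:
            findings.append(Finding(conn["ts"], conn["src"], conn["dst"],
                                    conn["dport"], conn["proc"], reasons))
    return findings


# Constructed sample log: three suspicious connections, one benign, one malformed.
SAMPLE_LOG = [
    "2026-06-23T10:00:01Z src=10.0.0.5:51234 dst=203.0.113.10:9001 proto=tcp proc=wscript.exe",
    "2026-06-23T10:00:02Z src=10.0.0.5:51240 dst=192.0.2.50:443 proto=tcp proc=chrome.exe",
    "2026-06-23T10:00:03Z src=10.0.0.7:51300 dst=198.51.100.77:443 proto=tcp proc=cscript.exe",
    "2026-06-23T10:00:04Z src=10.0.0.9:51310 dst=192.0.2.60:9030 proto=tcp proc=svchost.exe",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Requiring two of the three reasons before paging an analyst is a reasonable tuning step: a lone hit on port 9001 or a lone script-host connection generates noise, whereas a script host talking to a listed relay is worth an immediate look.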
Context and comparisons
This is not the first malware to use Tor to hide its C2; previous examples include TorRAT and OnionDuke. However, the combination with USB propagation and cryptocurrency theft is novel. The clipper technique (replacing clipboard addresses) has been seen in malware like CryptoShuffler and EvilClippy, but without self-propagation capability.
The use of .lnk files for propagation recalls worms like Stuxnet and Conficker, though these had different targets. Stuxnet, for example, spread via USB to attack SCADA systems, while Conficker exploited network vulnerabilities. The malware's lightweight nature (script-based) and ability to download additional components make it flexible and hard to eradicate. Microsoft highlights that this malware is an example of how script-based thefts can have a disproportionate impact.
In the current threat landscape, the combination of physical vectors and anonymization is particularly concerning. USB propagation allows bypassing perimeter defenses, and Tor usage hinders tracking. This type of malware could mark a trend toward stealthier and more targeted attacks. Additionally, the remote code execution capability opens the door to secondary attacks, such as ransomware deployment or corporate data theft.
In conclusion, Crypto Clipper represents a significant evolution in cryptocurrency-stealing malware. Its modular design and ability to operate anonymously make it a serious threat to both individuals and businesses. The combination of known techniques in a novel way demonstrates the increasing sophistication of cybercriminals. The security community must remain vigilant and adopt proactive measures to mitigate such threats.